Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[Security] Use IteratorArgument for voters#21437

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
fabpot merged 1 commit intosymfony:masterfromjvasseur:voter-iterator
Apr 4, 2017

Conversation

@jvasseur
Copy link
Contributor

QA
Branch?master
Bug fix?no
New feature?yes
BC breaks?no
Deprecations?yes
Tests pass?yes
LicenseMIT

Use an IteratorArgument for injecting voters into the AccessDecisionManager.


/**
* @returnarray
* @returniterable
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

technically, this is a BC break if the calling code passes it to a function requiring an array

Copy link
ContributorAuthor

@jvasseurjvasseurJan 27, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

True, but this class is marked as internal, so the BC break should be ok.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

iterable|VoterInterface[] for helping IDE?

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Would IDEs support theiterable<VoterInterface> syntax from PSR-5 ?

@stof
Copy link
Member

What is the benefit of this change ?

@jvasseur
Copy link
ContributorAuthor

The benefits are :

  • prevent instancing all the voters when not needed.
  • remove the need for the setVoters method to allow voters to depend on the AccessDecisionManager.
Koc reacted with thumbs up emoji

*/
publicfunctionsetVoters(array$voters)
{
@trigger_error(sprintf('The %s() method is deprecated since version 3.3 and will be removed in 4.0. Pass the voters to the constructor instead.',__METHOD__),E_USER_DEPRECATED);

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Do we gain anything by deprecating this method? Does it hurt to keep it?

Copy link
ContributorAuthor

@jvasseurjvasseurJan 29, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Changing the type of the$voters argument fromarray toiterable would be a BC break so this would mean having a different argument type for the constructor parameter and this method.

nicolas-grekas reacted with thumbs up emoji
@nicolas-grekas
Copy link
Member

👍

@nicolas-grekasnicolas-grekas added this to the3.3 milestoneJan 29, 2017

$adm =$container->getDefinition($container->hasDefinition('debug.security.access.decision_manager') ?'debug.security.access.decision_manager' :'security.access.decision_manager');
$adm->addMethodCall('setVoters',array(array_values($voters)));
$adm =$container->getDefinition('security.access.decision_manager');
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Won't this change break theDebugAccessDecisionManager?

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I updated it to grab the voters properties from theAccessDecisionManager in the same way it is doing it for the strategy :https://github.com/symfony/symfony/pull/21437/files#diff-76aa9de2473eccdc05075961beaed023R42

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

But now thedebug.security.access.decision_manager service will not be aware of the available voters, will it (see#18566 for more context)?

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

The voters will be injected into thesecurity.access.decision_manager service that will then be injected into thedebug.security.access.decision_manager service that will grab the voters so everything should be fine.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

But then these lines will never be executed:https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Core/Authorization/TraceableAccessDecisionManager.php#L62-L70 SogetVoters() would always return an empty list.

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

It tried different solutions to fix this problems but either they break BC in a worse way or introduce a risk that the voters list shown in the profiler is different than the one used by the access decision manager.

Or maybe someone else has solution to fix this problem.
Maybe this would be ok keeping it like this, the only thing broken would be getting an empty voter list in the profiler when using such an implementation.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

IIRC we explicitly have this handling because there were issue otherwise when you were, for example, using the JMSSecurityExtraBundle which ships with its ownRememberingAccessDecisionManager.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

What's the conclusion here?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Did someone test the changes from this PR in a real project to ensure that the profiler still works as expected?

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

My opinion here would be to keep it like this and accept that you lose the list of voters in the profiler in some cases (you already lose the configured strategy in those cases).

The alternatives are IMO not worth it. One of them would be to pass the list of voters to theDebugAccessDecisionManager independently, but that would introduce the possibility that the list shown in the profiler is not the same as the one used by theAccessDecisionManager (if someone modify it in another compile pass). And the other possibilities I could think of would either have worst BC breaks or introduce possible differences in behavior between prod and dev environments.

* @param string $strategy The vote strategy
* @param bool $allowIfAllAbstainDecisions Whether to grant access if all voters abstained or not
* @param bool $allowIfEqualGrantedDeniedDecisions Whether to grant access if result are equals
* @param iterable $voters An iterator of VoterInterface instances
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

That's a BC break, we should acceptiterable|VoterInterface[]

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

iterable is equivalent toarray|\Traversable so we still accept arrays as before.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

iterable|VoterInterface[] would still allow IDEs to provide type hints

@nicolas-grekas
Copy link
Member

I did not look at the exact logic: inAccessDecisionManager::decideUnanimous, would it be possible to swap the twoforeach, ie iterate over voters, then over attributes inside? That may prevent instantiating some voters if eg a grant is denied early.

@jvasseurjvasseurforce-pushed thevoter-iterator branch 2 times, most recently from5a25337 to58797f3CompareJanuary 31, 2017 22:20
Copy link
Member

@nicolas-grekasnicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

👍

@jvasseurjvasseurforce-pushed thevoter-iterator branch 5 times, most recently from926a51c toa4b574eCompareMarch 1, 2017 15:15
@nicolas-grekas
Copy link
Member

@jvasseur can you please rebase? there are failures related to this PR isn't it?

@jvasseur
Copy link
ContributorAuthor

Rebased and fix the test failure that was related to the changes in this PR.

Copy link
Member

@chalasrchalasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

changelog/upgrade files should mention this

@fabpot
Copy link
Member

👍

@fabpot
Copy link
Member

A quick rebase to ensure that tests are all-right would be good as well.

@jvasseur
Copy link
ContributorAuthor

@fabpot rebased on current master.

Remaining test failures are unrelated to this PR.

@xabbuh
Copy link
Member

So did someone try this PR in a real project and made sure that this will not break the security profiler?

@jvasseur
Copy link
ContributorAuthor

I did try it on a real project and everything was working. But since I made some changes to the PR since then I will try to do it again when I have some free time.

@chalasr
Copy link
Member

CHANGELOG/UPGRADE-* still need an update.

@nicolas-grekas
Copy link
Member

ping@jvasseur

@jvasseur
Copy link
ContributorAuthor

Note added to CHANGELOG/UPGRADE.

* The`LogoutUrlGenerator::registerListener()` method will expect a 6th`$context = null` argument in 4.0.
Define the argument when overriding this method.

* The`AccessDecisionManager::setVoters()` has been deprecated. Pass the voters to the constructor instead.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

corresponding entry missing from UPGRADE-4.0.md (the ... has been removed. ...)

Copy link
ContributorAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Fixed

Copy link
Member

@nicolas-grekasnicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

👍

@fabpot
Copy link
Member

Thank you@jvasseur.

@fabpotfabpot merged commit4ec80b1 intosymfony:masterApr 4, 2017
fabpot added a commit that referenced this pull requestApr 4, 2017
This PR was merged into the 3.3-dev branch.Discussion----------[Security] Use IteratorArgument for voters| Q             | A| ------------- | ---| Branch?       | master| Bug fix?      | no| New feature?  | yes| BC breaks?    | no| Deprecations? | yes| Tests pass?   | yes| License       | MITUse an IteratorArgument for injecting voters into the AccessDecisionManager.Commits-------4ec80b1 Use IteratorArgument for voters
@jvasseurjvasseur deleted the voter-iterator branchApril 4, 2017 21:00
@fabpotfabpot mentioned this pull requestMay 1, 2017
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

@fabpotfabpotfabpot left review comments

@stofstofstof left review comments

@xabbuhxabbuhxabbuh left review comments

@nicolas-grekasnicolas-grekasnicolas-grekas approved these changes

@chalasrchalasrchalasr approved these changes

Assignees

No one assigned

Projects

None yet

Milestone

3.3

Development

Successfully merging this pull request may close these issues.

7 participants

@jvasseur@stof@nicolas-grekas@fabpot@xabbuh@chalasr@carsonbot
[8]ページ先頭
©2009-2025 Movatter.jp